When data should be deleted

Data should be deleted when it is no longer needed for authorized purposes. The period of time that information remains necessary for authorized purposes, however, is not standardized across organizations, industries, or operations. Determining the appropriate time period requires an underlying knowledge of the data a company has, how that data is classified (for example, if it includes personal information), how that data is used in the business, and any laws applicable to its retention. The most common means of determining this time period is through the process of developing and documenting data retention policies and schedules.

A data retention policy is a corporate policy that goes beyond statutory legal requirements, and directs operations about which information the company should retain, delete, or retain for a period and then delete. For data that is permitted under policy to be retained for a given period of time and then must be deleted, the retention period is generally documented in a data retention schedule. Both the policy and the schedule should reflect the types of data the company has, the laws applicable to its retention, and the risk position of the company.

HHow data can be deleted

There are a variety of methods for deleting data. These methods vary in effectiveness, from simply pressing the Delete button on a personal computer to manual destruction of the media on which the data is stored. The best method of data deletion can be determined based on the type and nature of the data and the risk associated with its exposure.

How Intellixis Inc. handles data deletion

WIntellixis Inc. does not have a business need for data stored on drives that customers return for support. To the extent possible, customers are instructed to delete, encrypt, or render irrecoverable all data stored on returned media before it is returned, with the exception that warranty returns should not be degaussed as a means of accomplishing this deletion. In some circumstances, customers may not be able to delete the data. In these cases, Intellixis Inc. follows a process for overwriting data on returned drives and solid-state drives to ensure that no data remains on them. If a returned unit is a field replaceable unit, it will be cleared using an automated process consistent with the NIST SP 800-88 guidelines for media sanitization, before being returned to the OEM or scrapped.